Posts Tagged ‘security vulnerability’

Tuesday, November 19, 2013 @ 05:11 PM gHale

VMware released updates for VMware Workstation and VMware Player that fix a security vulnerability a local attacker could use to escalate privileges on the Linux host.

VMware Workstation for Linux 9.x prior to version 9.0.3 and VMware Player for Linux 5.x prior to version 5.0.3 are affected, according to the advisory published by the company. Fusion, ESX and ESXi are not affected.

Once an attacker has those otherwise secret tokens, he or she can use them to impersonate the LinkedIn user they belong to and potentially access that user's profile information through LinkedIn's APIs.

Before handing over the sensitive data, JavaScript code on the help site checked that the referring page had been served from LinkedIn.com, a simple HTTP Referer check that an attacker can circumvent (the fix described below shows the check also let through requests that carried no Referer at all). Thus, a user who was logged into LinkedIn and surfed to a malicious web page could have that page's embedded code poke the help site for the victim's OAuth token, because the browser sends the request with the victim's LinkedIn session.

“I quickly found a request to a JavaScript file including the API key for the help system which immediately returned an OAuth token for the user,” Mitchell said in a blog post.

“You shouldn’t trust JavaScript or the referrer header exclusively for any kind of authorization policy,” he said.

Losing control of an OAuth token is less serious than having login credentials compromised, but it is still bad. The good news is that the fix was in place before the problem became public, because the flaw was responsibly disclosed.

Mitchell privately reported the flaw on July 3, and the social network was able to squash the bug within a couple of days. The "fix" involved rejecting requests without an HTTP Referer, Mitchell said.

A LinkedIn spokesman said “We can confirm that we were notified of the OAuth vulnerability and took immediate action to fix the issue, which was resolved by our team within 48 hours of being notified.”
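The check described above, as an added example written for this page rather than LinkedIn's or Mitchell's code: a token endpoint guarded only by the Referer, the fix the article reports (refuse requests with no Referer), and a further hardening that stops relying on the Referer at all. The origin, session store and token values are constructed for illustration; the assumption that the original check accepted a missing Referer follows from the reported fix.

```javascript
// Added example, not LinkedIn's or Mitchell's code. Models a help-site endpoint
// that hands the logged-in user's OAuth token to a JavaScript include and uses the
// HTTP Referer to decide who may ask. Names and values are assumptions.

const TRUSTED_ORIGIN = "https://www.linkedin.com"; // assumed trusted site

// Constructed session store: cookie header value -> OAuth token (fake values).
const SESSIONS = { "sid=victim123": "oauth-token-ABC" };

function refererMatchesTrustedOrigin(referer) {
  try {
    return new URL(referer).origin === TRUSTED_ORIGIN;
  } catch {
    return false; // an unparsable Referer is not trusted
  }
}

// Version 1: the check as the article describes it. The reported fix ("disabling
// requests without HTTP referrers") implies a missing Referer was accepted.
function tokenEndpointOriginal(req) {
  const token = SESSIONS[req.headers.cookie];
  if (!token) return { status: 401 };
  const ref = req.headers.referer;
  if (ref !== undefined && !refererMatchesTrustedOrigin(ref)) return { status: 403 };
  return { status: 200, body: `var oauthToken = ${JSON.stringify(token)};` };
}

// Version 2: the fix the article reports. Requests carrying no Referer are refused.
function tokenEndpointPatched(req) {
  const token = SESSIONS[req.headers.cookie];
  if (!token) return { status: 401 };
  const ref = req.headers.referer;
  if (ref === undefined || !refererMatchesTrustedOrigin(ref)) return { status: 403 };
  return { status: 200, body: `var oauthToken = ${JSON.stringify(token)};` };
}

// Version 3 (added hardening, beyond what the article reports): never serve the
// token as a script, and require a custom request header. A cross-site
// <script src> cannot add request headers, so only same-origin fetch/XHR (or a
// CORS request this endpoint does not allow) can obtain the token.
function tokenEndpointHardened(req) {
  const token = SESSIONS[req.headers.cookie];
  if (!token) return { status: 401 };
  if (req.headers["x-requested-with"] !== "XMLHttpRequest") return { status: 403 };
  const origin = req.headers.origin;
  if (origin !== undefined && origin !== TRUSTED_ORIGIN) return { status: 403 };
  return { status: 200, contentType: "application/json", body: JSON.stringify({ token }) };
}

// Requests as a browser would send them (constructed).
// 1. Legitimate <script src> include from a LinkedIn help page.
const legitScriptInclude = {
  headers: { cookie: "sid=victim123", referer: "https://www.linkedin.com/help" },
};
// 2. Attacker's page includes the same script URL; the victim's cookie rides
//    along, but the Referer names the attacker's site.
const attackerWithReferer = {
  headers: { cookie: "sid=victim123", referer: "https://attacker.example/" },
};
// 3. Attacker's page suppresses the Referer (for example with a no-referrer
//    referrer policy); the cookie still rides along.
const attackerNoReferer = { headers: { cookie: "sid=victim123" } };
// 4. Same-origin XHR from the real site, sending the custom header.
const legitXhr = {
  headers: {
    cookie: "sid=victim123",
    referer: "https://www.linkedin.com/help",
    "x-requested-with": "XMLHttpRequest",
  },
};

function demo() {
  return {
    originalLeaksWithoutReferer: tokenEndpointOriginal(attackerNoReferer).status === 200,
    patchedBlocksWithoutReferer: tokenEndpointPatched(attackerNoReferer).status === 403,
    hardenedRefusesScriptInclude: tokenEndpointHardened(legitScriptInclude).status === 403,
    hardenedAllowsSameOriginXhr: tokenEndpointHardened(legitXhr).status === 200,
  };
}

console.log(demo());
```

Even the patched version still trusts a header the client controls, which is the point of Mitchell's remark: a Referer can be blank, stripped by a proxy, or suppressed by the calling page, so it should never be the only authorization signal. The hardened variant moves the decision onto something a cross-site include cannot forge (a custom header on a same-origin request), and stops returning the secret as executable script, which is what made a plain `<script src>` include enough to steal it.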

Wednesday, June 5, 2013 @ 03:06 PM gHale

Google issued a security update for its Chrome browser and Chrome Frame platform.

The update fixes one security vulnerability rated critical, nine rated high and one rated medium. A roll-up of fixes for bugs found through Google's own auditing, fuzzing and other in-house security work was also included and rated high severity.

The critical hole, a memory corruption in SSL socket handling, and one of the high-rated holes earned no bounty, but the remaining eight high- and medium-severity holes saw nearly $10,000 paid out.

One high-severity flaw, a use-after-free in workers' access to database APIs, earned $1,337, an amount Google typically awards for an interesting find, but that was not the largest bounty paid. That went to a Windows-only problem in which bad handles were passed to the renderer process, which earned its discoverer, Colin Payne, $2,000.

Existing installations of Chrome on Windows, Mac OS X and Linux should update automatically. Other users can download the browser or the Chrome Frame IE plug-in from Google.

Wednesday, June 5, 2013 @ 03:06 PM gHale

There is a security vulnerability in Windows that any user on the system can exploit to obtain administrator privileges, a security researcher said.

Rather than reporting the vulnerability to Microsoft, Google security expert Tavis Ormandy posted details to the Full Disclosure security mailing list in mid-May and has now published an exploit to the same mailing list.

With this latest vulnerability, Ormandy chose to release the information on the Full Disclosure list. After discovering a bug in the Windows kernel's EPATHOBJ::pprFlattenRec function, he wrote to the list: "I don't have much free time to work on silly Microsoft code" and solicited ideas on how to exploit the bug successfully. With the help of user progmboy, Ormandy then developed a privilege escalation exploit, which he shared with the mailing list, noting that another exploit was already in circulation.

Researchers at heise Security were able to reproduce the problem with the exploit. When run, it opens a command prompt in which arbitrary commands execute with system privileges regardless of the user's own privileges; even a guest account works.

With the details now public, Microsoft will have to plug the vulnerability as rapidly as possible, particularly since black hats also now have the exploit code. Malware could use the exploit to shut down anti-virus software without triggering a UAC prompt, or to plant a rootkit deep in the system.

Microsoft said it was looking into the problem and would "take appropriate measures" to protect its customers. It could not say when it would be able to close the vulnerability or how users could protect themselves from the privilege escalation in the meantime.

Monday, March 11, 2013 @ 10:03 PM gHale

Some printers manufactured by Hewlett-Packard, including 10 of its LaserJet Professional printers, have a security vulnerability that could allow an attacker to remotely access data, according to the Computer Emergency Response Team (CERT).

The problem stems from a telnet debug shell left enabled on the printers, which lets an unauthenticated remote user connect and, in turn, read data, according to CERT. HP's Software Security Response Team described the problem in a security bulletin last week.

HP is advising affected customers to download updated firmware for printers impacted by the bug from the company’s Support Center site. The company is also encouraging those still concerned with the vulnerability to email security-alert@hp.com for further guidance.

Printers have had a handful of security vulnerabilities of late, along with other Internet-enabled devices over the last few years.

Friday, October 12, 2012 @ 06:10 PM gHale

Mozilla temporarily removed Firefox 16 from the current installer page after it found a security vulnerability in the new version of its browser.

The vulnerability could allow a malicious site to determine which websites users have visited and to access the URL or URL parameters, said Michael Coates, director of security assurance at Mozilla.

Mozilla has no information, however, that the vulnerability is being exploited, he said. It is working on a fix and plans to ship updates.

Users will automatically upgrade to the new version as soon as it becomes available, Coates said.

Firefox 15 is unaffected, and as a precaution users can downgrade to version 15.0.1, or they can wait for Mozilla's patches, which will be applied automatically, Coates said.

Firefox 16 itself had fixed a number of security vulnerabilities, including some rated critical.

Firefox had a 20.08 percent share of desktop browsers in September, compared to 53.63 percent share for Internet Explorer and 18.86 percent for Chrome, according to Web measurement company Net Applications.

Friday, October 5, 2012 @ 04:10 PM gHale

Oracle database clients and servers are open to attacks, some of them previously unknown, researchers said.

In "Hacking the Oracle Client" at the DerbyCon 2.0 conference, security researcher Laszlo Toth showed that although the Oracle client stores the user name and password for a database connection in encrypted form in its memory, that data remains in memory after the session has ended and can easily be decrypted.

A Trojan, for example, could exploit this to harvest plain-text passwords from the client, which he demonstrated with the ocioralog meterpreter extension.

Toth and fellow security researcher Ferenc Spala demonstrated how to hijack and exploit Oracle connections. Because of the unpatched TNS poisoning vulnerability, their approach works against any standard Oracle database unless special security measures for the TNS listener are in place.

They presented the pytnsproxy TNS proxy, combined with a matching Metasploit module called tnspoison, which lets unauthenticated attackers sniff or modify connections to the database; the proxy can even inject arbitrary SQL commands into a hijacked session.

The researchers also presented a meterpreter extension called oralog, a password sniffer that writes the database passwords of all users who log into the database server to a file in clear text. Another Metasploit module, for the oradebug hole, lets attackers execute operating system commands.

The researchers made the extension for the Metasploit penetration testing platform available to other security testers and administrators.
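The "special security measures for the TNS listener" mentioned above are, in practice, restrictions on who may register a service with the listener; TNS poisoning works because a remote client can register itself as an instance and have the listener route sessions through it. The fragment below is an added illustration, not from the talk and not copied from Oracle documentation: it shows the weak default beside the registration restrictions Oracle recommended for the TNS poisoning issue (the Class of Secure Transports settings for 11g and the valid-node-checking parameter for 11.2.0.4 and 12c). The listener name LISTENER is assumed; check the Net Services reference for your release before applying it.

```text
# listener.ora -- added illustration, not the talk's material or Oracle's own text.
# Listener name "LISTENER" is assumed; substitute your listener's name.

# Weak (default): no registration restrictions. Any network client can send a
# REGISTER to the listener and claim to be an instance of the database, which is
# what lets a remote attacker insert a proxy between clients and the real instance.
#   (no SECURE_REGISTER_* / VALID_NODE_CHECKING_REGISTRATION_* entries)

# Corrected, 11g (Class of Secure Transports): accept registrations only over the
# local IPC transport; registration attempts over TCP are refused.
SECURE_REGISTER_LISTENER = (IPC)

# Corrected, 11.2.0.4 and 12c: reject registrations that do not originate on the
# local host (additional hosts can be listed in REGISTRATION_INVITED_NODES_LISTENER).
VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON

# If the listener serves only statically configured SID_LIST entries, dynamic
# registration can be switched off entirely.
DYNAMIC_REGISTRATION_LISTENER = OFF
```

After changing the file, reload the listener and confirm with `lsnrctl status` that the database services are still registered; an instance that can no longer register will silently disappear from the listener, which looks like an outage rather than a security setting.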

Monday, October 1, 2012 @ 12:10 PM gHale

Smartphones running older versions of Android can also be wiped by clicking a single HTML link, the same security vulnerability that affects Samsung Galaxy S III devices.

A researcher from Germany's Technical University Berlin, Ravi Borgaonkar, first showed at the Ekoparty security conference in Argentina how he could wipe a Samsung Galaxy S III smartphone just by clicking a single HTML link.

The USSD code that executes the wipe command can be embedded in a link or a QR code, or sent to the device over a near-field communication (NFC) connection, Borgaonkar said. Clicking the link in an email, on a website or even on social networks such as Twitter was enough to trigger the command.

Samsung said it fixed the vulnerability through a software update and encouraged users to use the Over-the-Air capability to download the fix.

"We would like to assure our customers that the recent security issue concerning the GALAXY S III has already been resolved through a software update," Samsung said.

While Borgaonkar's presentation focused on the Samsung Galaxy S III, he said later the vulnerability affected a wider pool of Android devices. Researcher Dylan Reeve then verified the problem on an HTC One X running HTC Sense 4.0 on Android 4.0.3 (Ice Cream Sandwich) and on a Motorola Defy running CyanogenMod 7 on Android 2.3.5 (Gingerbread).

The flaw appears to originate in older versions of Google's Android operating system, according to tests run by the Android Police blog: the vulnerability was in the standard Android dialer, which ran the code it received without asking the user. Although the flaw was fixed in the Android OS three months earlier, many devices remained vulnerable because device manufacturers had not patched it in their custom versions of Android and carriers had not pushed a fix to their customers.
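The dialer behaviour at the root of this is that a `tel:` link was treated as "dial this now", even when what followed `tel:` was an MMI/USSD code rather than a phone number. The check below is an added example written for this page, not Borgaonkar's code and not Android's dialer source: it parses a `tel:` link, distinguishes a plain number from a code containing `*` or `#` (including percent-encoded forms, which a naive check on the raw link would miss), and applies the policy a link handler should follow, namely show plain numbers and never auto-execute codes. The sample links are constructed; the code strings in them are placeholders, not the real wipe code.

```javascript
// Added example, not Borgaonkar's code and not Android's dialer source. Parses a
// tel: link and decides whether a dialer may act on it without the user's explicit
// consent. Sample inputs are constructed; none is a real device code.

// Returns { kind: "number" | "mmi" | "not-tel" | "invalid", number? }.
function parseTelLink(href) {
  if (typeof href !== "string") return { kind: "invalid" };
  const m = /^tel:(.*)$/i.exec(href.trim());
  if (!m) return { kind: "not-tel" }; // some other scheme, not our concern here
  let number;
  try {
    // Decode first: "%23" is "#" and "%2A" is "*", so a check on the raw link
    // text would miss an encoded code.
    number = decodeURIComponent(m[1]);
  } catch {
    return { kind: "invalid" }; // malformed percent-encoding
  }
  number = number.replace(/[\s().-]/g, ""); // strip common visual separators
  if (number === "") return { kind: "invalid" };
  // '*' or '#' marks an MMI/USSD-style code: a command to the phone or network,
  // not a number to call. Such codes must never be executed automatically.
  if (/[*#]/.test(number)) return { kind: "mmi", number };
  if (/^\+?\d+$/.test(number)) return { kind: "number", number };
  return { kind: "invalid" };
}

// Policy for a dialer (or any app) receiving a tel: link from outside:
//   plain number  -> show it in the dialer, let the user press call
//   MMI/USSD code -> show it, but require an explicit confirmation before sending
//   anything else -> reject
function dialerAction(href) {
  const parsed = parseTelLink(href);
  switch (parsed.kind) {
    case "number":
      return { action: "show-in-dialer", number: parsed.number };
    case "mmi":
      return { action: "require-explicit-confirmation", number: parsed.number };
    default:
      return { action: "reject" };
  }
}

// Constructed sample links, as they might appear in a page, QR code or NFC tag.
const SAMPLE_LINKS = [
  "tel:+15551234567",          // ordinary number
  "tel:(555)%20123-4567",      // number with separators and an encoded space
  "tel:*%23123%23",            // code with '#' percent-encoded: still a code
  "tel:%2A%23123%23",          // fully encoded code
  "tel:%E0",                   // broken percent-encoding
  "http://example.com/",       // not a tel: link at all
];

function classifyAll(links) {
  return links.map((href) => ({ href, ...dialerAction(href) }));
}

console.log(classifyAll(SAMPLE_LINKS));
```

The separator stripping is deliberately limited to whitespace, parentheses, dots and hyphens; anything else that is not a digit, `+`, `*` or `#` is rejected rather than normalised, so an unexpected character cannot smuggle a code past the check.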

Tuesday, September 18, 2012 @ 10:09 AM gHale

The free DNS server BIND, which the Internet Systems Consortium (ISC) maintains, contains a security vulnerability that allows attackers to crash it using specially crafted data records, according to the Austrian national CERT.

The ISC said resource records with RDATA fields exceeding 65535 bytes cause the name server to crash the next time the record is queried.

ISC recommends users upgrade to one of the current versions (9.7.7, 9.7.6-P3, 9.6-ESV-R8, 9.6-ESV-R7-P3, 9.8.4, 9.8.3-P3, 9.9.2 or 9.9.1-P3) as soon as possible.

The Austrian national CERT said sealing a server off from the outside is not sufficient to protect it. An email, for example, could trigger a name-server query that causes the server to load the specially crafted record; that the query appears to come "from the inside" offers no protection in this case.

It remains unclear whether the flaw can only crash the server or whether it could also be used to inject malicious code.

Friday, April 13, 2012 @ 04:04 PM gHale

A new release of NVIDIA's proprietary UNIX graphics drivers for Linux, Solaris and FreeBSD fixes a security vulnerability that allowed attackers to read and write arbitrary system memory and thereby obtain root privileges.

To exploit the vulnerability, an attacker must have access permission for certain device files, which on systems with these drivers is typically the case for any user who can start a graphical session with features such as 3D acceleration.

Version 295.40 of the driver corrects the problem; for older drivers whose version numbers start with 195, 256 to 285, or 290 to 295, NVIDIA has made patches available that change the vulnerable part of the driver's kernel module. Users who update the driver with this patch and use the CUDA debugger will also need to update the CUDA library before the debugger works again.

NVIDIA has categorized the security hole as “high risk” and recommends users update to the new version if they use the drivers with GeForce 8, G80 Quadro graphics cards, or newer models from those lines. The company has not confirmed whether the problem also exists for older graphics card models or legacy drivers (such as the 173 line).